Thanks Peter for the info. I have further researched OpenID, and, while I think the concept is good, and I may in fact use it, it does not really solve the whole problem I have. I believe that OpenID is 'Orthogonal'. I would still need to sign in to each application. Still, it has some interesting applications, and would be easy for me to set up.... but, does not solve just logging in once to my server. Adding mod_auth_tkt to my apache server would allow a system-wide 'Basic' login, that could then be used by each application. Rolf Peter Todd wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Tue, Oct 23, 2007 at 08:00:19PM -0400, Rolf wrote: > >> Hi All. >> >> I have a web server (Linux/apache) that runs a number of 'applications'. >> There are standard static web pages, as well as: >> In PHP -> webmail (squirrelmail), wiki (mediawiki), a photo gallery >> ("Gallery" 2.2), bug tracking (mantis), mysqladmin >> In Perl -> some simple custom CGI stuff (access to some logs, etc). >> In Java -> I have a tomcat server that is 'proxied' by the apache server. >> >> My wife and I routinely use these applications (OK, I use most, my wife >> uses some....). >> >> I have already 'secured' my server from the big bad world (HTTPS, >> firewall rules, etc), but I am looking to accomplish the following: >> >> I would like a single username/password to be supplied that will then be >> used to authenticate to each of the applications... >> >> Currently it is a real pain to have to login to each app individually. >> It is especially painful if the browser is currently logged in as my >> wife in one place, and me in another... >> >> HTTP authentication appears to be a good start (either basic, or digest, >> over HTTPS it's trusted), but there is no way to logout! >> >> The system I have is about to get expanded usage, I am going to allow >> remote access to my brothers, as well as some close friends. I would >> like to 'unify' the authentication processes for each of these things a >> bit better. >> >> In addition, each 'application' uses it's own authentication system >> (most have stuff stored in mysql tables). I would prefer to keep it >> linked to the same user accounts on the linux system. >> >> I have tried to google for things, but there is too much noise.... and >> no real content. >> >> I realise that I can go through each of my applications and >> reconfigure/rewrite the authentication to use a singe source of >> authentication (perhaps LDAP, or PAM), but that will still leave each >> app with it's own login/session. >> >> Is there someone out there with any insight in to this problem? Is there >> some standard? >> > > One interesting possibility would be to implement OpenID for all of your > apps. > > http://en.wikipedia.org/wiki/OpenID > http://openid.net/ > > The idea behind it is that, essentially, you get a single OpenID stored > on a server of your choice. Every app, from *anywhere*, that wants to > authenticate you simply has you enter your open id, which is in the form > of a url, mine is just petertodd.org The app you are trying to > authenticate with then uses that url to contact the authentication > server and verify your identify through some HTTP sessions magic. > > With OpenID not only would your apps get a single login, but you'd have > a login that'd work on any OpenID enabled site. Currently that doesn't > include too many sites, but does include some interesting heavy hitters > like livejournal.com > > One cool thing about OpenID is that you can delegate ids. So if you have > access to *any* sort of webhosting, you can put up a specially crafted > webpage using some simple html tags that essentially says "if you're > using http://joe.com as an OpenID authentication url, redirect to > http://joe.openidauthenticator.com" > > Basically even if you don't have the minor resources to setup the > authentication server, which is just a php script, you can *really* > easilly setup a redirect page. The advantage of this is that if, say, > openidauthenticator.com goes out of business, you can change > your joe.com websites redirect and keep using joe.com as your ID. > > My redirect setup is the following, visible if you go to my webpage and > hit view source: > >
> (snip) > > > > > I then use the phpMyOpenID script from > http://labs.bendodson.com/phpmyopenid/ to do the actual authentication. > Your users can use free authtication sites, or you can very easilly > setup your own. > > > For you to use it you'd have to make each app support openid > authentication. Then the openid would be used as the key in your > database to each account's data. > > - -- > http://petertodd.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFHHrsu3bMhDbI9xWQRAttnAJ9ruFfGnZnQamo247I6bwV/IyWc6ACfXvo8 > k7vuQBKT2zLoEeiz4zrwLxk= > =ahft > -----END PGP SIGNATURE----- > -- http://www.piclist.com PIC/SX FAQ & list archive View/change your membership options at http://mailman.mit.edu/mailman/listinfo/piclist